The HR Director Who Shared Too Much
Last year, an HR director at a mid-sized manufacturing company forwarded an employee's medical leave documentation — including a detailed psychiatric diagnosis — to three department supervisors. Her reasoning? "They needed to know why he'd be out." Within six weeks, the employee filed a complaint with the Office for Civil Rights (OCR). Within six months, the company was deep into a federal investigation.
Employer HIPAA violations like this one happen constantly. They don't always start with malice. They start with a well-meaning manager who doesn't understand the rules. And they end with penalties that can gut an organization's budget and reputation overnight.
If you're an employer who handles any form of protected health information — through a group health plan, a self-insured arrangement, or even a wellness program — this post is for you. I'm going to walk you through what actually triggers enforcement, what most employers get wrong, and how to build a culture that keeps your organization off OCR's radar.
Do Employers Actually Qualify as Covered Entities?
Here's where confusion begins. Most employers are not covered entities under HIPAA simply because they employ people. HIPAA applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically. Your company, as an employer, isn't automatically subject to HIPAA.
But the moment your organization sponsors a group health plan, and most do, the plan itself is a covered entity subject to the HIPAA Privacy Rule and the HIPAA Security Rule. Your company, as plan sponsor, is not the covered entity, but the HR and benefits staff who perform plan administration on the plan's behalf may receive PHI only under the conditions set out in 45 CFR § 164.504(f), and everything they do with it is governed by HIPAA.
Self-insured employers face even more exposure. When your company bears the financial risk for employee health claims, your plan creates and processes ePHI directly: every claims report, every utilization review, every stop-loss filing contains protected health information that HIPAA governs. By contrast, a fully insured plan that receives only enrollment information and summary health information from its insurer is exempt from most Privacy Rule administrative requirements under 45 CFR § 164.530(k); the moment HR starts pulling individual claims data, that exemption is gone.
The "Firewall" Most Employers Don't Build
HIPAA requires a group health plan that discloses PHI to its plan sponsor to amend the plan documents under 45 CFR § 164.504(f): the documents must name the employees (or classes of employees) who will have access, restrict access to those people, bar the sponsor from using PHI for employment-related actions and decisions, and provide a mechanism for resolving noncompliance. Practitioners call this the "firewall" provision. In practice, it means the people who handle health plan data cannot share that data with managers making employment decisions.
I've seen this firewall violated more times than I can count. An HR generalist reviews claims data, then sits in on a termination meeting for the same employee. A benefits coordinator mentions to a supervisor that an employee's dependent has high-cost prescriptions. These aren't hypotheticals — they're patterns I encounter in nearly every compliance audit I conduct.
The Five Most Common Employer HIPAA Violations
1. Sharing Medical Information With Managers Who Don't Need It
This is the single most frequent problem I see. An employee discloses a health condition to HR, and HR shares the specific diagnosis with the employee's direct supervisor, sometimes verbally, sometimes via email. When the information came from the group health plan (a claims report, an EOB), that is a HIPAA disclosure outside the firewall. When it came in through an FMLA request or an ADA accommodation, HIPAA usually does not apply, because employment records held by the employer in its role as employer are excluded from PHI, but the ADA's confidentiality rule does. Either way the standard is the same: the supervisor only needs to know the functional limitations and expected duration of absence. Never the diagnosis.
2. Failing to Secure Paper and Electronic Health Plan Records
Open filing cabinets in shared offices. Benefits spreadsheets stored on shared network drives without access controls. Enrollment forms left on printers. These are not minor infractions. The Security Rule requires administrative, physical, and technical safeguards for ePHI, and the Privacy Rule (45 CFR § 164.530(c)) requires reasonable safeguards for PHI in every form, paper included.
3. Using Health Information in Employment Decisions
When health plan data leaks into hiring, firing, or promotion decisions, you've crossed a line that invites both HIPAA enforcement and employment discrimination claims under the ADA. I've consulted on cases where managers accessed claims data to identify "high-cost employees" before layoffs. That's not just a HIPAA violation — it's a litigation time bomb.
Our course Accessing Records: If It's Not Your Job, It's a Breach addresses exactly this scenario with practical scenarios your workforce will remember.
4. Mishandling Breach Notification Obligations
When a breach of unsecured PHI occurs, the HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. HHS must be notified within the same window if 500 or more individuals are affected (and prominent media outlets notified if those 500 or more are residents of one state or jurisdiction); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Many employers who sponsor health plans don't even realize this obligation applies to them. They discover a breach, panic quietly, and hope no one notices. OCR notices.
If your team doesn't have a rehearsed incident response protocol, explore our First 60 Minutes: Incident Response training. The first hour after discovering a breach determines everything that follows.
5. Posting or Discussing Employee Health Details on Internal Channels
Slack messages. Teams chats. Internal emails. I've reviewed incident reports where managers discussed an employee's positive drug test result in a group chat, or where an HR assistant posted about an employee's workers' comp injury in a company-wide channel. Every one of these is a potential HIPAA violation when the information originated from the group health plan — and a state privacy law violation regardless.
Our Social Media & PHI course covers how digital communication platforms create new risk vectors that most policies haven't caught up with.
What Are the Penalties for Employer HIPAA Violations?
OCR enforces HIPAA through a tiered civil penalty structure based on culpability. Using the 2024 inflation-adjusted figures, penalties start at $141 per violation for the lowest tier (the entity did not know and could not reasonably have known) and are capped at $2,134,831 for all violations of an identical provision in a calendar year. Criminal penalties under 42 U.S.C. § 1320d-6 can reach $250,000 and ten years in prison for violations committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
Real enforcement actions show the stakes clearly. In 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000 after 23 security guards were found to have accessed patient medical records without a job-related purpose — a case driven by unauthorized access patterns that many employers replicate internally. You can review OCR's enforcement actions directly on the HHS Resolution Agreements page.
The financial penalty is often the smallest cost. Reputation damage, employee distrust, litigation expenses, and operational disruption typically dwarf the fine itself.
What Exactly Is PHI in an Employment Context?
This is the question I get asked most, and it deserves a direct answer for anyone searching.
Protected health information (PHI) in the employer context includes any individually identifiable health information that your group health plan creates, receives, maintains, or transmits. This covers enrollment records, claims data, explanation of benefits documents, utilization reports, and any health data connected to an identifiable employee or dependent.
What's not PHI under HIPAA? Medical information an employee voluntarily gives a supervisor outside the health plan context — like mentioning a cold — isn't plan-derived PHI. But be careful: that same information may still be protected under the ADA, state privacy laws, or GINA. The safest posture is to treat all employee medical information as confidential, regardless of source.
The $3 Million Question: Does Your Workforce Actually Understand the Rules?
In 2019, OCR settled with the University of Rochester Medical Center for $3 million after finding years of noncompliance with the Security Rule — including failure to encrypt ePHI on portable devices. The root cause? Inadequate workforce training and a failure to implement existing policies. You can review the details on the HHS press release.
Workforce training isn't a checkbox exercise. HIPAA requires covered entities to train all workforce members on policies and procedures relevant to their job functions. For employers sponsoring group health plans, that means every HR professional, benefits administrator, and manager with access to health plan data needs role-specific training — not a generic slide deck they click through once a year.
Browse our full HIPAA training catalog for courses built around real enforcement scenarios, not abstract regulatory language.
How to Protect Your Organization Starting This Week
- Audit your firewall. Identify every person who touches group health plan data. Confirm they are named (by role or by class) in the plan document amendment required under 45 CFR § 164.504(f), and that your organizational documents reflect the separation required under 45 CFR Part 164, Subpart E. Anyone who accesses plan data and is not on that list is outside the firewall.
- Restrict access immediately. Apply the minimum necessary standard. Claims data should be accessible only to those who need it for plan administration — not to line managers, not to executives, not to IT staff without a business need.
- Train with specificity. Generic compliance training doesn't change behavior. Role-specific scenarios — "You just received a subpoena for an employee's health records, what do you do?" — create lasting understanding.
- Document everything. Every policy, every training session, every access log. OCR's first request during an investigation is documentation. If you can't produce it, you've already lost.
- Establish an incident response plan. Not a binder on a shelf — a rehearsed, time-bound protocol your team can execute under pressure within the first 60 minutes of discovering a potential breach.
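The access-restriction and documentation steps above only work if someone actually reviews the access logs. The following script is an added example, not part of the original post or any vendor's product: it models the 164.504(f) firewall as an allowlist of plan-administration roles and runs over constructed access-log lines to flag two patterns discussed above, a non-plan-admin user reading plan records, and a plan-admin user reading claims data for an employee who is the subject of an open employment action. The log format, role names, resource names and employee IDs are all constructed for illustration.

```python
"""Audit constructed health-plan access logs for 'firewall' violations.

Added example (not from the original post). Every name below is constructed:
the log format, the role names, the resource types and the employee IDs.
Log line format:  ISO-timestamp|user|role|action|resource_type|subject_employee_id
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Roles the (hypothetical) plan document designates as plan-administration
# workforce. Only these roles may access group health plan records at all.
PLAN_ADMIN_ROLES = {"benefits_admin", "plan_privacy_officer"}

# Resource types that hold plan PHI. Anything else (payroll, timekeeping) is
# out of scope for this particular check.
PLAN_PHI_RESOURCES = {"claims", "enrollment", "eob", "utilization"}

# Employees with an open employment action (constructed). A plan-admin read of
# their plan data during the action is not automatically a violation, but it is
# exactly the overlap the plan document must prohibit, so it goes to review.
OPEN_EMPLOYMENT_ACTIONS: Dict[str, str] = {"E1042": "layoff_review", "E1077": "termination"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    rule: str      # "outside_firewall" or "employment_action_overlap"
    detail: str


def parse_line(line: str) -> Tuple[str, str, str, str, str, str]:
    """Split one pipe-delimited log line; reject anything that is not six fields."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        raise ValueError(f"malformed log line (expected 6 fields, got {len(parts)}): {line!r}")
    ts, user, role, action, resource, subject = parts
    return ts, user, role, action, resource, subject


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that crosses the firewall or overlaps an employment action."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        if not raw.strip():
            continue
        ts, user, role, action, resource, subject = parse_line(raw)
        if resource not in PLAN_PHI_RESOURCES:
            continue  # not plan PHI; other controls cover it
        if role not in PLAN_ADMIN_ROLES:
            findings.append(Finding(line_no, user, "outside_firewall",
                                    f"{role} performed {action} on {resource} for {subject} at {ts}"))
            continue
        if subject in OPEN_EMPLOYMENT_ACTIONS:
            findings.append(Finding(line_no, user, "employment_action_overlap",
                                    f"{role} read {resource} for {subject} during {OPEN_EMPLOYMENT_ACTIONS[subject]} at {ts}"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, for the documentation trail OCR will ask for."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample log: one clean plan-admin read, two reads from outside the
# firewall (HR generalist, line manager), one plan-admin read that overlaps a
# termination, one non-plan resource (payroll), one clean export.
SAMPLE_LOG = [
    "2024-03-04T09:12:00|b.ortiz|benefits_admin|read|claims|E2201",
    "2024-03-04T09:15:21|j.kim|hr_generalist|read|claims|E1042",
    "2024-03-04T10:02:44|m.ross|line_manager|read|enrollment|E3310",
    "2024-03-04T10:40:09|b.ortiz|benefits_admin|read|claims|E1077",
    "2024-03-04T11:00:00|t.shah|it_admin|read|payroll|E2201",
    "2024-03-04T11:05:13|p.lee|plan_privacy_officer|export|utilization|E4000",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: [{f.rule}] {f.user}: {f.detail}")
    print(summarize(results))
```

Run against real logs, the allowlist in `PLAN_ADMIN_ROLES` should be generated from the plan document amendment rather than typed by hand, so that the audit and the legal designation cannot drift apart; the `employment_action_overlap` rule deliberately flags for human review rather than declaring a violation, since a benefits administrator may have a legitimate plan-administration reason to touch that record.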
Employer HIPAA Violations Are Preventable — But Only If You Act
Every employer HIPAA violation I've investigated shares a common thread: someone assumed the rules didn't apply to them. They thought HIPAA was only for hospitals. They thought HR could share whatever they wanted internally. They thought a verbal disclosure didn't count.
It all counts. Intent affects which penalty tier OCR applies, not whether a violation occurred. Your group health plan is a covered entity. Your workforce members who administer it are subject to HIPAA. And the PHI they handle deserves the same rigor you'd expect from any hospital or health insurer.
The employers who avoid violations aren't the ones with the biggest legal budgets. They're the ones who train relentlessly, restrict access ruthlessly, and treat every piece of employee health data like the liability it is.